Another day, another cleanup. This morning’s cleanup was described by a new customer like this: “It’s broken. We can’t run our customer database program. The night staff keeps surfing the internet, and loading spyware, so that’s probably it.”

What I found was a computer that, on first look, had shortcuts to software on a drive “y:\” but had no mapped drives, and that was a member of a network named “MSHOME”, which is the default name for new peer-to-peer networks under the Windows XP “run me and I’ll change all your settings back to defaults” network wizard. There was no apparent connection to the network. “System Idle Process” was at 96 to 98%. There was clearly some spyware there, and a peer-to-peer music program, but they didn’t appear to be taking many cycles in Task Manager.

OK, next, ran HijackThis==the log is three pages long; it should be half a page. The customer created their own doorstop. There were four anti-spyware programs running–all trial versions, and an anti-virus program which included anti-spyware features. The anti-virus software was the product installed by Dell at the factory, and long past the 90-day trial. Overall, the anti-spyware had stopped the spyware from running, and from connecting to the network, in much the same way that a very large boulder, when strategically placed on the roof of a car, will act as a parking brake.

After over an hour, I’d chiseled and uninstalled and ripped out junk in Safe Mode until the task list was down to the absolute basics. Replaced the antivirus software, added parental control software to restrict internet access by password, did a scan, and the new Mcaffee antivirus (freeware, if you’re a Comcast customer) reported that it had found two pups. Right–it no longer searches for malware, but for pups. That’s “Potentially Unwanted Programs.” Mustn’t insult the spyware by putting a negative label on it–this is more software written by lawyers.

At some point, consumers are going to have to learn about autoplays and startupware. When they do, if you are a software author whose products autostart without a very good reason, it’s not going to stay installed past a very short trial. And if it does, I’ll personally rip it out as non-essential during the next spyware/virus/generic doorstop service call, because over and over, I’ve seen this pattern of multiple tools to do the same task all running as startupware and adding to the problem. And I’m not alone; every field tech I’ve spoken to does the same. Software must only run when asked to, it should self-repair if needed, and maybe, just maybe, customers won’t blame it when they’ve turned their computers into doorstops.

The newest security issue for Windows is the WMF hole. First, a little history. WMF is the acronym for a Windows Meta File. That’s an old graphics format, vector style. Vector art is drawn by the computer, based on code in the file. (The other kind of graphics is a bitmap, like JPG.) Of course, vector art includes computer instructions, so of course code can hide in there.

However, in this case, it’s not the infamous buffer overrun. Not to get too techical, that’s what happens when you put 52 clowns in a clown car–the extra clowns get squeeeezzzzed out somewhere else, and goes into some other part of Windows, where it runs commands that aren’t so artistic.

So the WMF flaw isn’t an overrun. Turns out, it’s something much more basic. There is a feature in the WMF format that if the draw process has an error, it can run a program. Errors are easy. Now to be fair to Microsoft, WMF files date back to the eighties. They, like lots of other throwbacks to DOS, have been carried along for years as a tribute to compatibility with older versions of, well, just about everything.

There is a lot of bad reporting going on for this topic–the reliable source is the US Computer Emergency Readiness Team:
www.us-cert.gov/current/current_activity.html#0dayWMF

First, the antivirus companies are on top of this, although they are using their usual spell-check/dictionary approach to such things; they’ll catch what they recognize as evil by spelling out a few key letters from the code of anything that Windows tries to run, copy, or save. Anything truly new won’t be caught until hours or days have passed, so an actual patch or workaround is preferable.

Here’s the manual method of disabling WMF files, according to Microsoft; note that it will disable fax viewing and thumbnail views of graphics. (To catalog your clipart, including WMF files, SAFELY, visit www.graphcat.com.)

To un-register Shimgvw.dll, follow these steps:
1. Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Microsoft has announced a patch for the WMF exploit will be out during January, after testing and localization (translation). But there are hackers, crackers, and bot farmers out there now with active viruses, worms, and spyware either in the wild or on the way, so a patch would be nice sooner than that.

Ilfak Guilfanov of hexblog.com has created a third-party hotfix, vulnerability checker, and a silent hotfix installer.